CVE-2025-20225

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2025-20225
A vulnerability in the Internet Key Exchange Version 2 (IKEv2) feature of Cisco IOS Software, IOS XE Software, Secure Firewall Adaptive Security Appliance (ASA) Software, and Secure Firewall Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to trigger a memory leak, resulting in a denial of service (DoS) condition. This vulnerability is due to a lack of proper processing of IKEv2 packets. An attacker could exploit this vulnerability by sending crafted IKEv2 packets to an affected device. In the case of Cisco IOS and IOS XE Software, a successful exploit could allow the attacker to cause the device to reload unexpectedly. In the case of Cisco ASA and FTD Software, a successful exploit could allow the attacker to partially exhaust system memory, causing system instability such as being unable to establish new IKEv2 VPN sessions. A manual reboot of the device is required to recover from this condition.

5.8 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact LOW

Scope CHANGED

References
Link Resource
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asa-ftd-ios-dos-DOESHWHy
Configurations

No configuration.

History

15 Apr 2026, 00:35

Type Values Removed Values Added
Summary
  • (es) Una vulnerabilidad en la función Intercambio de Claves de Internet Versión 2 (IKEv2) del software Cisco IOS, IOS XE, Secure Firewall Adaptive Security Appliance (ASA) y Secure Firewall Threat Defense (FTD) podría permitir que un atacante remoto no autenticado provoque una fuga de memoria, lo que resulta en una denegación de servicio (DoS). Esta vulnerabilidad se debe a un procesamiento inadecuado de los paquetes IKEv2. Un atacante podría explotar esta vulnerabilidad enviando paquetes IKEv2 manipulados a un dispositivo afectado. En el caso del software Cisco IOS e IOS XE, una explotación exitosa podría permitir al atacante provocar la recarga inesperada del dispositivo. En el caso del software Cisco ASA y FTD, una explotación exitosa podría permitir al atacante agotar parcialmente la memoria del sistema, lo que causa inestabilidad, como la imposibilidad de establecer nuevas sesiones VPN IKEv2. Es necesario reiniciar el dispositivo manualmente para recuperarse de esta situación.

14 Aug 2025, 17:15

Type Values Removed Values Added
New CVE
Information

Published : 2025-08-14 17:15

Updated : 2026-04-15 00:35

NVD link : CVE-2025-20225

Mitre link : CVE-2025-20225

CVE.ORG link : CVE-2025-20225

JSON object : View

Products Affected

No product.

CWE
CWE-401

Missing Release of Memory after Effective Lifetime